CVE-2016-5331 – VMware vSphere Hypervisor (ESXi) HTTP Response Injection
https://notcve.org/view.php?id=CVE-2016-5331
CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

SySS GmbH found that the web server of VMware ESXi 6 is vulnerable to HTTP response injection attacks, because arbitrarily supplied URL parameters are copied into the Location header of the server response without sufficient input validation. An attacker can therefore craft a URL with a specific URL parameter that injects attacker-controlled data into the response of the VMware ESXi web server. Depending on the context, this allows different attacks.

References:
• http://packetstormsecurity.com/files/138211/VMware-vSphere-Hypervisor-ESXi-HTTP-Response-Injection.html
• http://seclists.org/fulldisclosure/2016/Aug/38
• http://www.securityfocus.com/archive/1/539128/100/0/threaded
• http://www.securityfocus.com/bid/92324
• http://www.securitytracker.com/id/1036543
• http://www.securitytracker.com/id/1036544
• http://www.securitytracker.com/id/1036545
• http://www.vmware.com/security/advisories/VMSA-2016-0010.html

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVE-2016-2082
https://notcve.org/view.php?id=CVE-2016-2082
Cross-site request forgery (CSRF) vulnerability in VMware vRealize Log Insight 2.x and 3.x before 3.3.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

References:
• http://www.securitytracker.com/id/1036078
• http://www.vmware.com/security/advisories/VMSA-2016-0008.html

CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2016-2079
https://notcve.org/view.php?id=CVE-2016-2079
VMware NSX Edge 6.1 before 6.1.7 and 6.2 before 6.2.3 and vCNS Edge 5.5 before 5.5.4.3, when the SSL-VPN feature is configured, allow remote attackers to obtain sensitive information via unspecified vectors.

References:
• http://www.securitytracker.com/id/1036077
• http://www.vmware.com/security/advisories/VMSA-2016-0007.html

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2016-2081
https://notcve.org/view.php?id=CVE-2016-2081
Cross-site scripting (XSS) vulnerability in VMware vRealize Log Insight 2.x and 3.x before 3.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

References:
• http://www.securitytracker.com/id/1036078
• http://www.vmware.com/security/advisories/VMSA-2016-0008.html

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2015-6931
https://notcve.org/view.php?id=CVE-2015-6931
Cross-site scripting (XSS) vulnerability in the vSphere Web Client in VMware vCenter Server 5.0 before U3g, 5.1 before U3d, and 5.5 before U2d allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

References:
• http://www.securitytracker.com/id/1036112
• http://www.vmware.com/security/advisories/VMSA-2016-0009.html

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')